Avoiding SSL “You are about to be redirected to a connection that is not secure.” message

Backend · Unresolved · 8 · 2033
天涯浪人 2020-12-30 09:51

I have a login screen which I'm serving over SSL. The user fills in their login/password, this gets POSTed to the server. At this point I want to jump out of SSL, so I re

8 answers
  • 2020-12-30 10:20

    Use SSL for the whole page in the first place!

    There's nothing wrong with SSL. You should provide user privacy everywhere, not only on login. It makes sense on the whole site. So simply redirect all non-SSL pages to SSL pages and keep everything SSL.

  • 2020-12-30 10:29

    "How can I avoid this?"

    You shouldn't!

    Although you could try that with JavaScript. This might work on some browsers and fail on others.

    "What's the purpose of this dialog?"

    It warns because switching between SSL and non-SSL on websites is usually unexpected by the user. A warning about the "non-SSL to SSL" is not emitted since it increases security and privacy. However, when security is suddenly decreased, the user should notice that quickly, in order to avoid a false feeling of security. In fact, redirecting to a non-SSL site is sometimes used in XSS/MITM attacks.

    "SSL is going to cause an increase in traffic / processing power"

    This is nonsense. It might be true for sites full of big, static content. However, for normal dynamic web applications, encryption is very cheap compared to business logic, database access, etc.

    There is an urban legend saying that SSL content is not cached by browsers. See "Will web browsers cache content over https" for more information.

    "Yahoo does it. Yahoo is a big technical company. Are you smarter than Yahoo?"

    Some rhetoric counter-questions:

    • Are you a big technical company like Yahoo?
    • Did being a big technical company prevent Microsoft from producing crappy software?
    • Do you have to support crappy old (SSL-broken) browsers, as Yahoo has to?
  • 2020-12-30 10:29

    As for the purpose: It's to make you aware that your connection won't be SSL encrypted anymore. You may have seen before that the connection is encrypted and may think that it still is, so this warning says "Just to be clear, whatever data you send from here on will be plaintext".

    As for how to suppress it: AFAIK you can't, it's a browser thing, what would be the point of the message otherwise? Even though there are workarounds like client-side redirects, I don't think you should try to work around client "problems" like this. If the browser chooses to be verbose, let it. There's a "Don't show this again" checkbox on the dialog after all. If the user wishes to suppress this message he can easily do so, and maybe he actually likes to see it.
    Also, IMHO, if the browser was worth its salt it would still pop up this warning, even if you employed client-side redirect tricks.

  • 2020-12-30 10:34

    Just point your client to the latest attacks against mixed mode content (lookup CookieMonster on fscked.org) and proxy attacks (against sites available both in http and https, lookup Pretty-Bad-Proxy). He might reconsider.

    It is much easier to get security right if you only deal with one protocol without mixing the two. SSL adds a bit of overhead, but it is nothing compared to the cost of a breach.

  • 2020-12-30 10:35

    The attack this is preventing against is a man-in-the-middle SSL session strip. The message is there with good cause.

  • 2020-12-30 10:37

    I've hit this same problem a while back. So I had a look inside fiddler to see how yahoo mail does it. Here's the step I saw (and used on my site):

    User fills in SSL encrypted form, and POSTs to the server. Server authenticates, and spits out some script to redirect the client

    <script type="text/javascript">
    <!--
    // Returned by the server after it has authenticated the POSTed credentials.
    // The browser itself navigates to the plain-HTTP URL, so there is no
    // server-side HTTPS-to-HTTP redirect for it to warn about.
    window.location.replace("~~ non-SSL URL ~~");
    // -->
    </script>
    

    I figure the client side code is there to avoid this dialog.

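The first answer's advice (redirect every non-SSL request to SSL) and the last answer's post-login redirect, written the defender's way as an added example that is not code from this thread. It assumes plain Node.js with requests modelled as small objects; the host names and paths are constructed sample values.

```javascript
// Added example, not from the thread: keep every hop on HTTPS so the browser
// never has a reason to show the "not secure" dialog in the first place.
// Assumes Node.js (global URL class); req is a constructed {protocol, host, path}.

const HSTS = "max-age=31536000; includeSubDomains";

// Answer 1: any plain-HTTP request gets a permanent redirect to the same
// path on HTTPS. Returns null when the request is already secure.
function redirectToHttps(req) {
  if (req.protocol === "https") return null;
  return { status: 301, headers: { Location: `https://${req.host}${req.path}` } };
}

// The post-login redirect of the last answer, but the target is validated:
// it must resolve to an https URL on our own host, otherwise we fall back to
// a fixed landing page. That rules out both the HTTPS-to-HTTP downgrade the
// dialog warns about and an off-site "next" parameter supplied by someone else.
function postLoginRedirect(next, ownHost, fallback = "/account") {
  const safeDefault = `https://${ownHost}${fallback}`;
  let target;
  try {
    // Relative paths resolve against our own https origin.
    target = new URL(next, `https://${ownHost}`);
  } catch (e) {
    target = null;                               // unparsable input: use fallback
  }
  const ok = target !== null && target.protocol === "https:" && target.host === ownHost;
  return {
    status: 302,
    headers: { Location: ok ? target.href : safeDefault, "Strict-Transport-Security": HSTS },
  };
}

// Constructed sample traffic (hosts and paths are made up for the demo).
const samples = [
  redirectToHttps({ protocol: "http", host: "example.com", path: "/login" }),
  postLoginRedirect("/mail?folder=inbox", "example.com"),   // allowed: same host, https
  postLoginRedirect("http://example.com/mail", "example.com"), // blocked: plain http
  postLoginRedirect("//evil.example/x", "example.com"),       // blocked: other host
];
for (const r of samples) console.log(r.status, r.headers.Location);
```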